Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make readOnlyRootFilesystem configurable (#93)

Browse source
This commit is contained in:
Jason O'Donnell 2019-10-24 12:40:19 -04:00 committed by GitHub
parent 2ca3fd2214
commit e1b89d6396
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
templates/server-statefulset.yaml
View file

@ -41,7 +41,9 @@ spec:
terminationGracePeriodSeconds: 10 terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "vault.fullname" . }} serviceAccountName: {{ template "vault.fullname" . }}
securityContext: securityContext:
{{- if .Values.server.securityContext.readOnlyRootFilesystem }}
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
{{- end }}
runAsNonRoot: true runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }} runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }} runAsUser: {{ .Values.server.uid | default 100 }}

33
test/unit/server-dev-statefulset.bats
View file

@ -314,7 +314,7 @@ load _helpers
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# Security Contexts # Security Contexts
@test "server/standalone-StatefulSet: uid default" { @test "server/dev-StatefulSet: uid default" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -324,7 +324,7 @@ load _helpers
[ "${actual}" = "100" ] [ "${actual}" = "100" ]
} }
@test "server/standalone-StatefulSet: uid configurable" { @test "server/dev-StatefulSet: uid configurable" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -335,7 +335,7 @@ load _helpers
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/standalone-StatefulSet: gid default" { @test "server/dev-StatefulSet: gid default" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -345,7 +345,7 @@ load _helpers
[ "${actual}" = "1000" ] [ "${actual}" = "1000" ]
} }
@test "server/standalone-StatefulSet: gid configurable" { @test "server/dev-StatefulSet: gid configurable" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -356,7 +356,7 @@ load _helpers
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/standalone-StatefulSet: fsgroup default" { @test "server/dev-StatefulSet: fsgroup default" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -366,7 +366,7 @@ load _helpers
[ "${actual}" = "1000" ] [ "${actual}" = "1000" ]
} }
@test "server/standalone-StatefulSet: fsgroup configurable" { @test "server/dev-StatefulSet: fsgroup configurable" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -376,3 +376,24 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/dev-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/dev-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}

33
test/unit/server-ha-statefulset.bats
View file

@ -509,7 +509,7 @@ load _helpers
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# Security Contexts # Security Contexts
@test "server/standalone-StatefulSet: uid default" { @test "server/ha-StatefulSet: uid default" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -519,7 +519,7 @@ load _helpers
[ "${actual}" = "100" ] [ "${actual}" = "100" ]
} }
@test "server/standalone-StatefulSet: uid configurable" { @test "server/ha-StatefulSet: uid configurable" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -530,7 +530,7 @@ load _helpers
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/standalone-StatefulSet: gid default" { @test "server/ha-StatefulSet: gid default" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -540,7 +540,7 @@ load _helpers
[ "${actual}" = "1000" ] [ "${actual}" = "1000" ]
} }
@test "server/standalone-StatefulSet: gid configurable" { @test "server/ha-StatefulSet: gid configurable" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -551,7 +551,7 @@ load _helpers
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/standalone-StatefulSet: fsgroup default" { @test "server/ha-StatefulSet: fsgroup default" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -561,7 +561,7 @@ load _helpers
[ "${actual}" = "1000" ] [ "${actual}" = "1000" ]
} }
@test "server/standalone-StatefulSet: fsgroup configurable" { @test "server/ha-StatefulSet: fsgroup configurable" {
cd `chart_dir` cd `chart_dir`
local actual=$(helm template \ local actual=$(helm template \
-x templates/server-statefulset.yaml \ -x templates/server-statefulset.yaml \
@ -571,3 +571,24 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/ha-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ha-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}

19
test/unit/server-statefulset.bats
View file

@ -592,3 +592,22 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/standalone-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}

4
values.yaml
View file

@ -14,6 +14,10 @@ server:
# Resource requests, limits, etc. for the server cluster placement. This # Resource requests, limits, etc. for the server cluster placement. This
# should map directly to the value of the resources field for a PodSpec. # should map directly to the value of the resources field for a PodSpec.
# By default no direct resource request is made. # By default no direct resource request is made.
securityContext:
readOnlyRootFilesystem: true
resources: resources:
# resources: # resources:
# requests: # requests: